lucene-dev mailing list archives

From "ASF subversion and git services (JIRA)" <>
Subject [jira] [Commented] (SOLR-4882) Restrict SolrResourceLoader to only classloader accessible files and instance dir
Date Mon, 02 Dec 2013 11:02:36 GMT


ASF subversion and git services commented on SOLR-4882:

Commit 1546958 from [~thetaphi] in branch 'dev/branches/lucene_solr_3_6'

SOLR-5520: Backport of SOLR-4882 (SolrResourceLoader was restricted to only allow access to
resource files below the instance dir)

> Restrict SolrResourceLoader to only classloader accessible files and instance dir
> ---------------------------------------------------------------------------------
>                 Key: SOLR-4882
>                 URL:
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 4.3
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>             Fix For: 4.6, 5.0
>         Attachments: SOLR-4882.patch, SOLR-4882.patch, SOLR-4882.patch
> SolrResourceLoader currently allows loading files from any absolute/CWD-relative path, which is used as a fallback if the resource cannot be looked up via the class loader.
> We should limit this fallback to sub-dirs below the instanceDir passed into the ctor. The CWD special case should be removed, too (the virtual CWD is instance's config or root
> The reason for this is security related. Some Solr components allow passing in resource paths via REST parameters (e.g. XSL stylesheets, Velocity templates, ...) and load them via the resource loader. By this it is possible to limit the whole thing to not allow loading e.g. /etc/passwd as a stylesheet.
> In 4.4 we should add a solrconfig.xml setting to enable the old behaviour, but disable it by default, if your existing installation requires files from outside the instance dir which are not available via the URLClassLoader used internally. In Lucene 5.0 we should not support this anymore.

This message was sent by Atlassian JIRA
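The containment rule the issue describes (classloader lookup first, then a file-system fallback that may only resolve below the instance directory, so that a REST-supplied name such as /etc/passwd or conf/../../etc/passwd cannot be opened as a stylesheet), as an added example that is not part of this JIRA thread and is not Solr's own code. The class name ConfinedResourceLoader, its method names and the temp-directory layout are hypothetical; only the policy follows the issue text, and the actual Solr patch may be structured differently.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not Solr's own code): a resource loader whose file-system
 * fallback is confined to the instance directory. Class and method names
 * are hypothetical; only the policy follows the SOLR-4882 description.
 */
public final class ConfinedResourceLoader {
    private final Path instanceDir;
    private final ClassLoader classLoader;

    public ConfinedResourceLoader(Path instanceDir, ClassLoader classLoader) throws IOException {
        // Real path: symlinks resolved, so later startsWith() checks compare like with like.
        this.instanceDir = instanceDir.toRealPath();
        this.classLoader = classLoader;
    }

    /** Pre-fix behaviour: classloader first, then ANY path, absolute or CWD-relative. */
    public InputStream openResourceUnsafe(String resource) throws IOException {
        InputStream in = classLoader.getResourceAsStream(resource);
        if (in != null) return in;
        // "/etc/passwd" or "../../../etc/passwd" is opened exactly as given.
        return Files.newInputStream(Paths.get(resource));
    }

    /** Hardened behaviour: classloader first, then only regular files below instanceDir. */
    public InputStream openResource(String resource) throws IOException {
        InputStream in = classLoader.getResourceAsStream(resource);
        if (in != null) return in;
        Path p = resolveInsideInstanceDir(resource);
        if (p == null) {
            throw new IOException("Can't find resource '" + resource
                + "' in classpath or '" + instanceDir + "'");
        }
        return Files.newInputStream(p);
    }

    /**
     * Returns the real path of instanceDir/resource when it lies inside instanceDir,
     * or null when the name is absolute, traverses out with "..", does not exist,
     * or is a symlink whose target lies outside instanceDir.
     */
    Path resolveInsideInstanceDir(String resource) throws IOException {
        Path rel = Paths.get(resource);
        if (rel.isAbsolute()) return null;                     // e.g. /etc/passwd
        Path candidate = instanceDir.resolve(rel).normalize(); // collapse "." and ".."
        if (!candidate.startsWith(instanceDir)) return null;   // e.g. conf/../../x
        if (!Files.isRegularFile(candidate)) return null;      // missing, or a directory
        Path real = candidate.toRealPath();                    // follow symlinks
        return real.startsWith(instanceDir) ? real : null;     // e.g. conf/link -> /etc/passwd
    }

    /** Demo against a constructed instance dir in a temp folder (sample data, not a real core). */
    public static void main(String[] args) throws IOException {
        Path instanceDir = Files.createTempDirectory("solr-core");
        Files.createDirectories(instanceDir.resolve("conf"));
        Files.write(instanceDir.resolve("conf/example.xsl"),
            "<xsl:stylesheet/>".getBytes(StandardCharsets.UTF_8));

        ConfinedResourceLoader loader =
            new ConfinedResourceLoader(instanceDir, ConfinedResourceLoader.class.getClassLoader());

        // Only the first name is accepted; the other two are what a REST caller might try.
        String[] requests = { "conf/example.xsl", "/etc/passwd", "conf/../../../../etc/passwd" };
        for (String r : requests) {
            Path resolved = loader.resolveInsideInstanceDir(r);
            System.out.println(r + " -> " + (resolved == null ? "rejected" : resolved));
        }
    }
}
```

Two details matter in practice: the comparison uses Path.startsWith, which is component-wise (so an instance dir named /var/solr/core1 does not accidentally admit /var/solr/core10), and both the instance dir and the candidate are passed through toRealPath() so that a symlink planted inside the instance dir cannot point the fallback back outside it.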
